Platform: Code4rena
Start Date: 24/03/2023
Pot Size: $49,200 USDC
Total HM: 20
Participants: 246
Period: 6 days
Judge: Picodes
Total Solo HM: 1
Id: 226
League: ETH
Rank: 157/246
Findings: 2
Award: $13.27
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: HHK
Also found by: 019EC6E2, 0Kage, 0x52, 0xRobocop, 0xTraub, 0xbepresent, 0xepley, 0xfusion, 0xl51, 4lulz, Bahurum, BanPaleo, Bauer, CodeFoxInc, Dug, HollaDieWaldfee, IgorZuk, Lirios, MadWookie, MiloTruck, RedTiger, Ruhum, SaeedAlipoor01988, Shogoki, SunSec, ToonVH, Toshii, UdarTeam, Viktor_Cortess, a3yip6, auditor0517, aviggiano, bearonbike, bytes032, carlitox477, carrotsmuggler, chalex, deliriusz, ernestognw, fs0c, handsomegiraffe, igingu, jasonxiale, kaden, koxuan, latt1ce, m_Rassska, n1punp, nemveer, nowonder92, peanuts, pontifex, roelio, rvierdiiev, shalaamum, shuklaayush, skidog, tank, teddav, top1st, ulqiorra, wait, wen, yac
0.1353 USDC - $0.14
https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L240
When ETH cannot be directly deposited into the Rocket pool according to https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L120 the price will be calculated from the current state of the uniswap pool https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L240.
If the balance of the RETH derivative is high enough to trigger the use of the uniswap oracle in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73. The preDepositPrice can be manipulated by skewing the uniswap pool resulting in a higher mintAmount in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L98.
Only RETH as derivative and balance is high enough to make ethPerDerivative use the Uniswap pool in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73
Price of 1.1 ETH per RETH in the Uniswap pool and Rocket pool.
Underlying value of stake pool is 1100 ETH and total supply is 1100.
RETH derivative contains 1000 RETH.
Attacker flashloans bunch of RETH and swaps for ETH. Making the price in the Uniswap pool 1 ETH per RETH.
Because the price is determined via uniswap the underlyingvalue of the pool calculated in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73 will be 1000. So the predeposit price will be ~0.909 ETH
The totalStakeValueEth in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L92 will be 100 ETH because the price used their is coming from the RocketPool (not uniswap).
The mintAmount will be 110 ETH
Now the uniswap is skewed to its original ratio.
Underlying value of stake pool is 1200 ETH and total supply is 1210.
Now the attacker can withdraw ~109.09 ETH base on the 110 shares.
Notepad
Calculator
Use a TWAP from the Uniswap pool or possible chainlink if available.
Another problem is when the price calculated for the Rocket derivative in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73 could be different w.r.t. https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L92. In the first calculation it should use the price based on the deposit amount and not the balance of the pool.
#0 - c4-pre-sort
2023-04-04T11:55:18Z
0xSorryNotSorry marked the issue as duplicate of #601
#1 - c4-judge
2023-04-21T16:11:07Z
Picodes marked the issue as duplicate of #1125
#2 - c4-judge
2023-04-21T16:13:41Z
Picodes marked the issue as satisfactory
#3 - c4-judge
2023-04-24T21:46:36Z
Picodes changed the severity to 3 (High Risk)
🌟 Selected for report: brgltd
Also found by: 0x3b, 0xAgro, 0xGusMcCrae, 0xNorman, 0xRajkumar, 0xSmartContract, 0xTraub, 0xWagmi, 0xWaitress, 0xffchain, 0xhacksmithh, 0xkazim, 0xnev, 3dgeville, ArbitraryExecution, Aymen0909, BRONZEDISC, Bason, Bloqarl, BlueAlder, Brenzee, CodeFoxInc, CodingNameKiki, Cryptor, DadeKuma, DevABDee, Diana, Dug, Englave, Gde, Haipls, HollaDieWaldfee, Ignite, Infect3d, Jerry0x, Josiah, Kaysoft, Koko1912, KrisApostolov, Lavishq, LeoGold, Madalad, PNS, Rappie, RaymondFam, RedTiger, Rickard, Rolezn, Sathish9098, SunSec, T1MOH, UdarTeam, Udsen, Viktor_Cortess, Wander, adriro, ak1, alejandrocovrr, alexzoid, arialblack14, ayden, bin2chen, brevis, btk, c3phas, carlitox477, catellatech, ch0bu, chaduke, ck, climber2002, codeslide, descharre, dingo2077, ernestognw, fatherOfBlocks, favelanky, georgits, helios, hl_, inmarelibero, juancito, ks__xxxxx, lopotras, lukris02, m_Rassska, mahdirostami, maxper, nadin, navinavu, nemveer, p_crypt0, peanuts, pipoca, pixpi, qpzm, rbserver, reassor, roelio, rotcivegaf, scokaf, siddhpurakaran, slvDev, smaul, tnevler, tsvetanovv, turvy_fuzz, vagrant, wen, yac, zzzitron
13.1298 USDC - $13.13
Overall code is simple and self-explanatory. The codebase is small and to the point. Modern solidity is applied.
Problem: https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/WstEth.sol#L87 returns the amount of stETH for one wstETH. And it should return the amount of ETH for one wstETH.
Solution: Use the curve or chainlink oracle to determine the amount of ETH per wstETH
Problem: It is possible to set the weight of a derivative that doesnt exist https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L169. Though it doesnt cause issues its probably good to revert as feedback.
Solution: require the derivative to exist
Problem: Both https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/SfrxEth.sol#L52 and https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/WstEth.sol#L49 https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L59 should probably be restricted to not allow extreme slippage which could be used to do a malicious arbitrage.
Solution: Have an upper bound to the slippage. A one for all solution could be done in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L206
Problem: function https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L182 allows the owner to add a malicious derivative and could then change weights to move all eth to this contract and steal the funds.
Solution: In this case the owner should ideally be behind a timelock, but maybe this is not okay for pausing the staking so potentially add an additional role for immediate actions and put the rest behind timelock.
Problem: In the scenario where the weights add up to be more than the uint256 can hold the transaction will revert (https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L192, https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L172)
Solution: Use a smaller uint8 or similar for storing the weights.
#0 - c4-sponsor
2023-04-10T19:15:30Z
elmutt marked the issue as sponsor confirmed
#1 - c4-judge
2023-04-24T18:51:50Z
Picodes marked the issue as grade-b